[EMAIL PROTECTED] wrote:

> I'm having a tricky problem. What I am trying to do is to add an
> object signing certificate to the NSS database. This can be done using
> certutil, yes. But this is a xulapp that uses nsINSSCertCache, which I
> fear is causing problems.

You shouldn't be manipulating the cache directly. I'm surprised that it is even possible to do so. Seems like a bug.

> I need to know how to import object signing certificates to the
> database using nsIX509CertDB. Currently I am calling certdb directly,
> by creating a nsIProcess and calling the executable.

I presume you mean certutil rather than certdb. Hopefully you know that two programs may not open the same cert DB at the same time without corrupting the DB, yes? So, you don't want to run certutil on the same DB that Firefox is using, while Firefox is running.

> This is not having the desired effect. The consequence is that the
> database changes the certificate from 'u,u,u' to ',,,' when doing a
> certutil -L. Which causes the certificate not to show up, and a host of
> other problems that can be only solved by deleting the profile.

When you say "doesn't show up", I gather you mean that you do not see it in Firefox's cert manager. Yes? I am interested in any cert that doesn't show up in cert manager.

But let me see if I understand what you're trying to accomplish. You're writing a XUL app that will install a code signing cert and its related private key into the user's DBs, yes? If you accomplish that then, after running your XUL app, any user will be able to sign anything (any code or JAR file) with your cert, as if you signed it. Is that really what you want to do? (Hint, I would expect that your code signing cert would be revoked as soon as it became known that you were distributing the private key for it.)

> The only way I have managed to get it to work is by adding my
> certificate right after creating a certificate request, shutting down
> my xulapp, relaunching and re-adding the certificate, shutting down and
> relaunching again. Obviously, this is not very desirable for my users.
> I don't know why this particular set of steps fixes it, but it does.

Very strange. I'd guess it's due to the direct manipulation of the cache. But that's a guess.
--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
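
Added example, not part of the original message and not NSS code: a Python check that compares two `certutil -L` listings and reports certificates whose JAR/XPI trust field lost the `u` flag, which is the `u,u,u` to empty change described in the quoted question. The listings and nicknames are constructed, and the function names are hypothetical.

```python
import re

# Constructed `certutil -L -d <dbdir>` listings (nicknames are hypothetical).
# Capture real listings only while no other program has the DB open.
BEFORE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Object Signing Cert                                  u,u,u
Example Root CA                                              CT,C,C
"""
AFTER = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Object Signing Cert                                  ,,
Example Root CA                                              CT,C,C
"""

# A row is a nickname (may contain spaces) followed by three comma-separated
# trust fields: SSL, S/MIME, JAR/XPI. Empty fields are allowed.
ROW = re.compile(
    r"^(?P<nick>\S.*?)\s+"
    r"(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<jar>[A-Za-z]*),?\s*$"
)


def parse_listing(text):
    """Map nickname -> (ssl, smime, jar) trust flag strings."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match
            entries[m["nick"]] = (m["ssl"], m["smime"], m["jar"])
    return entries


def lost_user_flag(before, after):
    """Nicknames whose JAR/XPI field had 'u' before but lacks it after."""
    old, new = parse_listing(before), parse_listing(after)
    return sorted(
        nick for nick, (_, _, jar) in old.items()
        if "u" in jar and "u" not in new.get(nick, ("", "", ""))[2]
    )


if __name__ == "__main__":
    for nick in lost_user_flag(BEFORE, AFTER):
        print(f"object-signing 'u' flag lost: {nick}")
```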